If your email has ever been hacked or, worse yet, your banking login has been compromised, you know that wretched feeling of being virtually exposed. After you've taken the initial steps, what then? One option for keeping your passwords safe is using a password manager. The idea behind these storage systems is to have someone else safeguard all your pa$$words and $ign0nphras3s from loser hackers with nothing better to do than make your life miserable.
So what happens when your password manager gets hacked, and your deepest, darkest secret passwords (b00b00kitty, Studmuff!n, h0tl0vinmama) — the ones to your bank accounts, your photo cache, your email, your Facebook page, even your online dating profile — are suddenly at risk?
There have been several high-profile hacks in recent years (including, ironically, one for the LastPass password management system), and each episode spurs another round of eyebrow-furrowing among Internet users who are constantly bombarded with news of hackers stealing personal information.
The Yahoo hack. Sony hack. The LastPass hack. The Celebrity iPhone Nude Photos hack. The Target hack. The federal government's Office of Personnel Management hack. News broke recently that the St. Louis Cardinals baseball team was hacked — allegedly by the rival Houston Astros.
Password managing software is supposed to help. And, clearly, it's better than going with no protection at all. Or using the same, stupid, worn-out passwords. (The most popular password several years running? 123456.)
But is it enough?
How they work
Password managers are designed for security, with the added benefit that users must remember only one password — the master password to their account. All the other passwords in your online life — to bank accounts, photos, email, Facebook and that online "h0tl0vinmama" dating profile — are changed into something much harder to crack and stored in the service's vault.
In these systems, all passwords are sent through numerous mathematical algorithms that scramble and encrypt them. According to this Macworld article, when you type in a password, a password manager service doesn't check it against a password stored someplace in cyberspace. Instead, it "hashes" the password with a proprietary algorithm, comes up with something else entirely and checks that against the result from the first time you signed on, when that same algorithm was run on the password. If, after all that hashing, the two match, you're good to go.
Most services have additional layers of security that make cracking passwords and getting sensitive information extremely difficult. Still, critics point out that hunting down passwords and bowling past security is what hackers do. They live for it.
And, they say, anything that's stored in the cloud — anything — is a target.
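The sign-on check described above, sketched as an added example (not code from the article or from any password manager). It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the "proprietary algorithm", and the record format and iteration count are choices made for this illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example, not a figure from the article


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Slow, salted hash: every guess costs an attacker the same work.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str) -> str:
    """First sign-on: store a salted hash of the password, never the password."""
    salt = os.urandom(16)  # random per account, so equal passwords give different records
    digest = _derive(password, salt, ITERATIONS)
    fields = [str(ITERATIONS), base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)  # illustrative format: iterations$salt$digest


def verify(record: str, attempt: str) -> bool:
    """Later sign-on: rerun the same derivation on the attempt and compare results."""
    try:
        iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = _derive(attempt, salt, int(iterations))
    except ValueError:
        return False  # malformed or truncated record: fail closed
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


if __name__ == "__main__":
    record = enroll("Studmuff!n")  # constructed sample, borrowed from the article's joke
    print("stored record:", record)
    print("correct password accepted:", verify(record, "Studmuff!n"))
    print("wrong password accepted:", verify(record, "h0tl0vinmama"))
```

The stored record holds only the salt, the iteration count and the hash, so a stolen copy still has to be guessed against one password at a time.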
What you can do
Many critics of cloud-based password services advise, first, to get off the cloud. They favor services that store all that critical information locally, on your computer or, say, your phone. It's harder to steal.
Whether you do that or stick with the cloud, another important step to protect your passwords is two-factor authentication (also called two-step verification). Many sites now employ this security method, and the list is growing. It works, simply and generally, like this:
You sign on with your username and a password. The site you're trying to sign onto sends you a text message with a unique code. You type in that code. You're in.
It can work other ways, as with a built-in code generator on your phone. In any case, two-factor authentication (2FA) adds that critical second step. It's increasingly recommended because you need not only a password (which is hackable) but also something else, like your phone, which hackers probably won't have.
Google has a simple video explaining its two-step verification process.
Other steps to take
Security experts say never use the same username and password at more than one account. If a hacker cracks one, others are in danger. Many password managers will take care of this for you, generating a unique code for each site.
If you don't use a password manager, make sure you vary your passwords, and make sure they're strong passwords — random strings with added characters and symbols if possible. And find a safe way to remember them. There are sites that will generate random passwords for you. Google has more tips here.
Nothing is 100 percent hack-proof. Crooks, being crooks, will try to steal your identity or info — or money — any way they can. But if you're careful, if you're vigilant, if you're nimble enough, you can stay safe online.
And no one will ever know your secrets, Studmuff!n.
This story was written in June 2015 and has been updated with more recent information.